Group Policies Replication in progress - Sysvol related error

Guenael Sanchez 1 Reputation point
2022-09-20T20:42:40.853+00:00

Hello,

Some context first :
We have 2 Windows 2016 AD DS servers configured with one domain.
We would like to migrate them to Windows 2022.
So far, one of the two servers (DC1) has been upgraded to 2022; the other one is still 2016 (DC2).
Everything is installed and configured in French (FYI).
Might also be important: this domain was originally configured with 2012 R2 AD DS servers, was upgraded to 2016 and now has the 2016 functional level.

When opening Group Policy Management Console, we have a warning with the replication status of the GPOs.

The error can be (badly) translated into English as:
Sysvol authorizations on one or more GPOs on this domain controller are not synchronized with the GPO authorizations on the base domain controller!

243017-image.png

Followed by a list of ~20 GPO names.

We have about ~60 GPOs in total.

I think I tried all the repadmin/dcdiag/dfsrdiag checks I could find, none showing any errors...

Needless to say, SYSVOL\domain on the two servers has the same file/folder/size count!

Any ideas?

Regards,
GS


5 answers

  1. Guenael Sanchez 1 Reputation point
    2022-09-20T20:43:34.173+00:00

    243201-image.png

    The screenshot did not make it into the previous post...

  2. Gary Reynolds 9,621 Reputation points
    2022-09-21T09:29:34.36+00:00

  3. Guenael Sanchez 1 Reputation point
    2022-09-21T11:03:38.87+00:00

    Hey,

    Thanks for your reply! It seems interesting! And thanks for the debugging on NetTools ;)

    My first guess was to create a file in the sysvol folder, and it's immediately replicated to the other AD DS server.

    But modifying ACLs on a buggy GPO changes the local (DC1) SYSVOL GPO folder ACLs, and those ACLs are not replicated to the DC2 SYSVOL GPO folder.

    Running dcdiag again on DC2 shows some errors about unavailable RPC on DC1 (same errors about DC2 when running dcdiag on DC1):

      Démarrage du test : DFSREvent    
    
         The DFS Replication Event Log.   
         Impossible d'interroger le journal des événements DFS Replication sur  
    
         le serveur DC1.mydomain.univ.fr. Erreur 0x6ba  
    
         « Le serveur RPC n'est pas disponible. »  
    
         ......................... Le test DFSREvent  
    
          de DC1 a échoué  
      Démarrage du test : SysVolCheck  
    
         * Test de préparation de SYSVOL pour le service de réplication de  
    
         fichiers   
         SYSVOL du service de réplication de fichiers est prêt   
         ......................... Le test SysVolCheck  
    
          de DC1 a réussi  
    

    The DFSREvent test fails with unavailable RPC.
    SysVolCheck passes.

    Meanwhile, the initial connectivity and RPC tests pass on both DC1 and DC2:

    Exécution des tests initiaux nécessaires

    Test du serveur : Default-First-Site-Name\DC2

      Démarrage du test : Connectivity  
    
         * Active Directory LDAP Services Check  
         Determining IP4 connectivity   
         Determining IP6 connectivity   
         * Active Directory RPC Services Check  
         ......................... Le test Connectivity  
    
          de DC2 a réussi  
     
    

    Test du serveur : Default-First-Site-Name\DC1

      Démarrage du test : Connectivity  
    
         * Active Directory LDAP Services Check  
         Determining IP4 connectivity   
         Determining IP6 connectivity   
         * Active Directory RPC Services Check  
         ......................... Le test Connectivity  
    
          de DC1 a réussi  
    

    Still digging...

    Regards,
    GS.


  4. Gary Reynolds 9,621 Reputation points
    2022-09-25T12:54:46.91+00:00

    Hi @Guenael Sanchez

    You can enable additional debug information with GPMC which may help identify the reason for the ACL errors, if you create the following registry entries on the machine that is running GPMC:

    244553-image.png

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics  
    Value: GPMgmtTraceLevel  
    Type: REG_DWORD  
    Data: 2  
    
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics  
    Value: GPMgmtLogFileOnly  
    Type: REG_DWORD  
    Data: 1  
    

    This will result in the gpmgmt.log file being created in the %Temp% directory, i.e. TEMP=C:\Users\ADMINI~1\AppData\Local\Temp

    When you run Detect Now on the Status tab of the GPO, the log file will contain the details of the permissions that have been found in both AD and Sysvol. The logging seems a little inconsistent, as caching seems to change what is logged, and it may require GPMC to be restarted a few times to get the full details into the log.

    From the testing I've done so far, it looks like the order of the permissions in the Sysvol DACL is important: while the overall permissions are the same, if they are in a different order the GPMC Status seems to report an ACL issue, as shown below.

    244498-image.png

    Gary.

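The DACL-order observation above is worth checking directly rather than only through GPMC. The following is an added PowerShell example, not code from the thread or from NetTools: it reads the DACL of every {GUID} policy folder under SYSVOL on two DCs and reports folders whose ACEs differ, or match only as a set but not in order. DC1, DC2 and mydomain.univ.fr are placeholders taken from the thread; the GroupPolicy (RSAT) module is assumed only for resolving GPO display names.

```powershell
# Added example, not from the thread: compare the SYSVOL policy-folder DACLs of two DCs,
# ACE by ACE and in order, since the GPMC status check appears to be order-sensitive.
# Assumes it is run as a domain admin; DC names and domain are placeholders from the thread.
param(
    [string]$Domain  = 'mydomain.univ.fr',
    [string]$BaseDC  = 'DC1',   # the DC that GPMC treats as the baseline
    [string]$OtherDC = 'DC2'
)

function Get-PolicyFolderAces {
    param([string]$Dc, [string]$Domain)
    $root = "\\$Dc\SYSVOL\$Domain\Policies"
    $aces = @{}
    Get-ChildItem -LiteralPath $root -Directory |
        Where-Object Name -match '^\{[0-9A-Fa-f-]{36}\}$' |
        ForEach-Object {
            $folder = $_.Name
            $acl = Get-Acl -LiteralPath $_.FullName
            # One line per ACE, kept in DACL order, covering the fields a permission compare looks at.
            $aces[$folder] = @($acl.Access | ForEach-Object {
                '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
                    $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
            })
        }
    return $aces
}

$base  = Get-PolicyFolderAces -Dc $BaseDC  -Domain $Domain
$other = Get-PolicyFolderAces -Dc $OtherDC -Domain $Domain

foreach ($guid in (@($base.Keys) + @($other.Keys) | Sort-Object -Unique)) {
    if (-not $base.ContainsKey($guid))  { "$guid : folder missing on $BaseDC";  continue }
    if (-not $other.ContainsKey($guid)) { "$guid : folder missing on $OtherDC"; continue }
    $a = $base[$guid]; $b = $other[$guid]
    # Same ACEs in any order vs. same ACEs in the same order
    $sameSet   = (($a | Sort-Object) -join "`n") -eq (($b | Sort-Object) -join "`n")
    $sameOrder = ($a -join "`n") -eq ($b -join "`n")
    $name = '(name unknown)'
    try { $name = (Get-GPO -Guid $guid -Domain $Domain -ErrorAction Stop).DisplayName } catch {}
    if (-not $sameSet)       { "$guid $name : DACL differs between $BaseDC and $OtherDC" }
    elseif (-not $sameOrder) { "$guid $name : same ACEs, but in a different order" }
}
```

Folders reported as "different order" are the ones to compare against the gpmgmt.log SYSVOL_ACL_MISMATCH entries, since DFSR replicates the DACL content but GPMC's check reads both DCs independently.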

  5. Guenael Sanchez 1 Reputation point
    2022-09-25T22:41:00.98+00:00

    Hello,

    Sounds like you are right! Or at least not too far off!

    Here is a snippet of the errors I can find in the log file:

    <ERRORS><ERROR><STATUS>SYSVOL_ACL_MISMATCH</STATUS><SECONDARY folder='1'>\DC2.mydomain.univ.fr\sysvol\mydomain.univ.fr\policies{0B7A2270-D69E-4B6E-972E-C5B0035B8179}</SECONDARY></ERROR></ERRORS></POLICY><POLICY>

    <DC>
    <NAME>DC1.mydomain.univ.fr</NAME>
    </DC>

    I need to test the latest NetTools debug options :)

    GS.
